<p>Predefined permissions, also known as <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl">canned ACLs</a>,
are an easy way to grant large privileges to predefined groups or users.</p>
<p>The following canned ACLs are security-sensitive:</p>
<ul>
  <li> <code>PUBLIC_READ</code>, <code>PUBLIC_READ_WRITE</code> grant respectively "read" and "read and write" privileges to anyone, either
  authenticated or anonymous (<code>AllUsers</code> group). </li>
  <li> <code>AUTHENTICATED_READ</code> grants "read" privilege to all authenticated users (<code>AuthenticatedUsers</code> group). </li>
</ul>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The S3 bucket stores sensitive data. </li>
  <li> The S3 bucket is not used to store static resources of websites (images, css …​). </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to implement the least privilege policy, i.e., to only grant users the necessary permissions for their required tasks. In the
context of canned ACL, set it to <code>PRIVATE</code> (the default one), and if needed more granularity then use an appropriate S3 policy.</p>
<h2>Sensitive Code Example</h2>
<p>All users, either authenticated or anonymous, have read and write permissions with the <code>PUBLIC_READ_WRITE</code> access control:</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'bucket', {
    accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE // Sensitive
});

new s3deploy.BucketDeployment(this, 'DeployWebsite', {
    accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE // Sensitive
});
</pre>
<h2>Compliant Solution</h2>
<p>With the <code>PRIVATE</code> access control (default), only the bucket owner has the read/write permissions on the bucket and its ACL.</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'bucket', {
    accessControl: s3.BucketAccessControl.PRIVATE
});

new s3deploy.BucketDeployment(this, 'DeployWebsite', {
    accessControl: s3.BucketAccessControl.PRIVATE
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl">AWS Documentation</a> - Access control list (ACL)
  overview (canned ACLs) </li>
  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html">AWS Documentation</a> - Controlling access to a bucket with
  user policies </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
  <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html">AWS CDK version 2</a> - Class Bucket (construct) </li>
</ul>
